Technical Tip: What popups occur in the FortiDLP Agent
| Description | This article describes what popups occur in the FortiDLP Agent. |
| Scope | FortiDLP. |
| Solution | Overview: When installing the FortiDLP Agent on MacOS, some pop-ups may be displayed on the host machine. This document aims to state what pop-ups, expect to see and what pop-ups can suppressed during installation with the use of a Mobile Device Management (MDM) Platform. This document mentions the use of mobile config files. These files will install a profile onto MacOS devices. Refer to the FortiDLP Deployment Guide for more information.
MacOS. System and Network Extension (Installation) - Can be suppressed: When the agent is initially deployed on a machine, users are presented with a notification to install the system and network extension for the FortiDLP Agent:
 The above shows an example of the prompt displayed for the System/Network Extension. The above shows an example of the prompt displayed for the Network Content Filter. If the system and network extensions approvals are not pushed via the MDM, the FortiDLP Agent will push these extensions and the user will be subsequently notified to allow them. These prompts will continue to appear on each boot if no consent has been given by the user.
To suppress the notifications, install the system and network extension approvals on an end user's machine by pushing the systemExtensions.mobileconfig found in the macOS accessory bundle on the Downloads page.
System and Network Extension (Removal) - Can be Suppressed: When the FortiDLP Agent is uninstalled, the System and Network Extensions will need to be removed and unloaded from the Mac host. When done manually, the user will be prompted to provide their Administrator password to remove the extensions. There will be two notifications, one for each Extension.
These Extension removal notifications can be suppressed through MDM if running macOS 12 or later. In most cases, unassigning the device from the scope of the MDM configuration profile will remove the profiles without these prompts. Alternatively, the MDM profile can be modified to include the extension IDs as 'Removable System Extensions', which will allow the removal of the extensions without password prompts. 
The example above is from the JAMF Configuration profile with Removable System and Network Extensions.
Managed Login Items - Can be suppressed: Soon after the FortiDLP Agent is installed, users are presented with a managed login notification:
This was introduced in macOS 13 onwards to notify the end user that a new LaunchDaemon/LaunchAgent has been added to their device. This is used by the FortiDLP Agent to perform background tasks such as launching the agent process, the upgrade service, and the FortiDLP Agent Helper per user.
This can be suppressed by pushing the loginItemsandNotifications.mobileconfig found in the macOS accessory bundle on our Downloads page.
'FortiDLP Agent' would like to access files in ... - Can be suppressed: If users have a policy configured with Content Inspection, Full Disk Access must be granted to the FortiDLP Agent GUI application to allow the agent to perform Content Inspection. If permissions are not specified for the FortiDLP Agent application, users will be presented with the following prompt the first time the agent attempts to access a file in a particular directory.
In this scenario, the user is attempting to upload a file from their Desktop folder This can be suppressed by pushing the systemExtensions.mobileconfig found in the macOS accessory bundle on our Downloads page.
Screen Recording notification - Can potentially be suppressed: Screen Recording allows the FortiDLP Agent to perform screenshot actions when detection is triggered from a policy. This message will display the first time the FortiDLP Agent attempts to take a screenshot. When such an event does occur, this message will be displayed. 
If users decline this permission, this will be reflected by the agent's health reporting. For more details regarding health reporting refer to 'Resolving FortiDLP Agent Component Issues' in the FortiDLP Deployment Guide (Section 7.2) or the 'Agent Health Monitoring' Section of the FortiDLP UI guide. Apple MacOS has strict permissions requirements for this feature that require a user to explicitly grant this permission. This permission is unable to be allowed remotely or administratively and upon first-time use of the agent capturing input, a pop-up will be triggered. It is possible to use MDM to prevent the user from granting this permission, but not the inverse.
New in version 12.1.0 and above: The FortiDLP agent can now disable screenshots via the agent configuration ("Screenshot action" set to "off"). This will prevent the FortiDLP agent from requesting screenshots on the OS and prevent the pop-up from occurring. (No screenshots will be taken even if configured by policy).
Input Monitoring notification - Can potentially be suppressed: Input monitoring allows the FortiDLP Agent to capture keyboard input for use in policies. Upon enabling this feature in the agent configurations, host machines will be presented with this popup. If this feature is disabled, the popup will not be displayed. This will affect the agent health reporting and prevent some policies from working optimally.
If users decline this permission, it will be reflected in the agent's health reporting. For more details regarding health reporting refer to 'Resolving FortiDLP Agent Component Issues' in the FortiDLP Deployment Guide (Section 7.2) or the 'Agent Health Monitoring' Section of the FortiDLP UI guide.
Apple MacOS has strict permissions requirements for this feature that requires a user to specifically grant this permission. This permission is unable to be allowed remotely or administratively and upon first-time use of the agent capturing input, a pop-up will be triggered. It is possible to use MDM to prevent the user from granting this permission, but not the inverse.
'FortiDLP Agent Helper' is accessing your screen notification - Cannot be suppressed: This issue exclusively applies to macOS 15.2 devices on which the user has consented to FortiDLP Agent screen capture/recording. The internal investigation confirmed that the popup is displayed when all the following circumstances are true:
A similar prompt was added to provide weekly reminders of Screen recording access in v15.0 and reduced to monthly reminders in v15.1. This other prompt can be disabled using a mobileconfig profile with ForceBypassScreenCaptureAlert set. If the popup is ignored, it disappears after 15 seconds. If the popup is selected, System Settings opens at the Screen & System Audio Recording pane, showing screen recording is allowed for uk.ava.reveal.Reveal-Agent.
Whether the popup is clicked or ignored, on display of the popup, macOS 15.2 sets a new setting kScreenCapturePrivacyHintDate for 'uk.ava.reveal.Reveal-Agent' in ~/Library/Group\ Containers/group.com.apple.replayd/ScreenCaptureApprovals.plist to 90 days from the current date (kScreenCaptureApprovalLastUsed). No further popups are seen until the kScreenCapturePrivacyHintDate date, at that time the value is reset to 90 days from the current date again.
Windows: 'Toast' Notifications for USB activity - Windows - Cannot be suppressed: These notifications are presented to indicate to the user that there is activity occurring to a USB drive if USB file blocking has been enabled.
Windows and MacOS. USB file blocking notification - Windows/MacOS - Cannot be suppressed: When a FortiDLP Agent is configured for USB file transfer blocking this message will be presented. The notification is only shown when a user inserts a USB device for the first time and is purely informational. This message currently cannot be suppressed.
Windows, MacOS, and Linux. Browser upload notification - Can be suppressed: The FortiDLP Upload banner will show when an upload occurs within a supported browser. This banner is enabled by default within the agent configurations. This banner can be suppressed by setting the Browser Upload Notification setting to Off.
 |
